Requirements

Utimaco CryptoServer

This integration uses the SecurityServer-V4.01.x product CD. Note that this is a quick guide which should be used in conjunction with Utimaco's PKCS#11 manual. Utimaco's PKCS#11 documentation can be found on the product CD: <utimaco folder>/Documentation/Crypto_APIs/PKCS_11_R2/.

On the SSH Universal Key Manager appliance, create the directory /opt/cs/pkcs11_r2, or another location as appropriate. This guide uses that path for simplicity.

PKCS#11 R2

In order to use the Utimaco HSM as a PKCS#11 device for the SSH Universal Key Manager, you need two files from the product CD. The files needed are cs_pkcs11_R2.cfg and libcs_pkcs11_R2.so.
cs_pkcs11_R2.cfg serves as a configuration file for the PKCS#11_R2 shared object library. Use scp to copy these two files from the installation media to the appliance, placing them into /opt/cs/pkcs11_r2.

Setting up the environment

In order for the library to find the configuration file, set the CS_PKCS11_R2_CFG environment variable to point at the configuration file:

>_Console

# export CS_PKCS11_R2_CFG=/opt/cs/pkcs11_r2/cs_pkcs11_R2.cfg

Module configuration

To establish a connection with your HSM you need to edit the configuration file. It is highly recommended to take a look at Utimaco's manual to adapt the PKCS#11 module to fit your needs. Depending on the device you are using (PCI/CSLAN/Simulator) you need to adjust the Device Specifier.
Edit the configuration file so that the active [CryptoServer] Device = 288@<ipaddr> line points at the remote HSM or cluster that you are targeting. Also consider setting the SlotCount to 1. Further configuration options are available; see the PKCS#11 Administrator manual in the Documentation folder referenced above.
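
The steps so far can be verified before the module is used. The following pre-flight check is an added example, not part of Utimaco's or SSH's tooling: it confirms that both files are in place and not writable by group or others (the configuration file decides which HSM the library connects to), that CS_PKCS11_R2_CFG points at the configuration file, and that an active Device line exists under [CryptoServer]. The function names are hypothetical, and the check assumes that '#' starts a comment line in the configuration file.

```sh
#!/bin/sh
# Added example: pre-flight check for the PKCS#11 R2 setup in this guide.
# Assumptions: '#' starts a comment line in the .cfg file; the function
# names below are hypothetical and not part of any vendor tool.

# Print every active (uncommented) Device value found under [CryptoServer].
active_devices() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { in_cs = ($0 ~ /^[ \t]*\[CryptoServer\]/); next }
        in_cs && /^[ \t]*Device[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }' "$1"
}

# True if group or others have write permission on the path.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# check_p11_setup DIR: print one line per problem; return 0 only if none.
check_p11_setup() {
    dir=$1; cfg=$dir/cs_pkcs11_R2.cfg; lib=$dir/libcs_pkcs11_R2.so; rc=0
    for f in "$cfg" "$lib"; do
        if [ ! -r "$f" ]; then echo "missing or unreadable: $f"; rc=1
        elif loosely_writable "$f"; then echo "group/world-writable: $f"; rc=1
        fi
    done
    if [ "${CS_PKCS11_R2_CFG:-}" != "$cfg" ]; then
        echo "CS_PKCS11_R2_CFG is not set to $cfg"; rc=1
    fi
    [ -r "$cfg" ] || return "$rc"
    devs=$(active_devices "$cfg")
    case $devs in
        "")    echo "no active Device line under [CryptoServer]"; rc=1 ;;
        *"<"*) echo "Device still contains a placeholder: $devs"; rc=1 ;;
    esac
    return "$rc"
}

# When a directory is given as the first argument, check it,
# e.g. /opt/cs/pkcs11_r2 as used in this guide.
if [ -n "${1:-}" ]; then check_p11_setup "$1"; fi
```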

Token creation

If you do not already have a PKCS#11 R2 Slot 0 available on the CryptoServer cluster, the quickest way is to follow chapter two of the PKCS#11 Hands On pdf. This document is available in the Utimaco SecurityServer installation, at <utimaco folder>/Software/Crypto_APIs/PKCS#11_R2/doc/. The hands-on guide describes setting up a Security Officer and slot PIN.

You can use p11tool2 or p11cat (the PKCS#11 CryptoServer Administration Tool) to do so. See the provided documentation for details on how to manage the PKCS#11 API.